The FBI could soon demand sensitive communication data from European Internet service providers. It would also be possible to have the data retrieved in real time. With this, the European Union wants to make the Trump administration weigh the possibility of being able to query “electronic evidence” on Facebook & Co.

The EU Commission wants to negotiate an agreement with the US government that forces Internet providers based in the European Union to cooperate more with US authorities. The companies would have to grant police forces and secret services from the USA access to the communication of their users. European prosecutors would then also be able to issue an identical order directly to Facebook, Apple and other Internet giants. The legal process via the judicial authorities that has been customary up to now is to be dropped.

The plans are part of the “E-Evidence” regulation, with which the EU wants to facilitate the publication of “electronic evidence”. This includes user data (name, date of birth, postal address, telephone number), access data (date and time of use, IP address), transaction data (transmission and reception data, location of the device, protocol used) and all content data.

Implementing Agreement with the US Government

The planned EU regulation is limited to companies seated in the European Union. But because most of the desired data is stored in the USA, the EU Commission is planning an implementation agreement with the US government. This would be possible within the framework of the “CLOUD Act”, which the US government enacted last year. It obliges companies established in the USA to disclose inventory, traffic and content data if this appears necessary for criminal prosecution or averting danger.

The “CLOUD Act” also allows third countries to issue orders to US companies. An agreement necessary for this must be based on reciprocity and thus allow the US government access to companies in the partner countries. The Trump administration, however, demands a concession to be able to listen to content data in real time. Companies based in the EU would then have to transfer this data directly to US authorities.

No possibility of rejection

In March, the EU Commission presented a negotiating mandate with the USA, on which the Council has now agreed with few changes. It is to be adopted at the meeting of EU interior ministers in Luxemburg on 7 June. The current draft does not mention the real-time monitoring measures, only to wait for the US government’s demands.

However, it contains the demand that the US authorities at least inform those EU states on whose territory real-time monitoring takes place. The German government had also called for this. However, such a regulation would not guarantee that an EU member state would be able to object to the interception measures of US authorities.

Special meetings on the EU-US agreement

In cooperation with the US, it is also important whether the content data transmitted from the EU can be used to impose the death penalty or life imprisonment without the convicted person being able to apply for early release. This would be excluded under EU law. However, there is no such provision in the Commission’s draft negotiating mandate.

Finally, under certain circumstances, the US authorities would be allowed to pass on the content data obtained to other states. This is another reason why the EU interior ministers are calling for close participation in the negotiations on the planned EU-US agreement. The Commission should report regularly to the relevant Council Working Party on Cooperation in Criminal Matters and, if necessary, convene special meetings.

Duplication with the Council of Europe

At the level of the Council of Europe, the issuing of “electronic evidence” is also being newly regulated. To this end, the Budapest Convention on Cybercrime (the so-called Budapest Convention) will be extended with an annex. In contrast to the European Union, countries such as Russia, Turkey, Australia, Canada, the USA and Japan have also signed the Council of Europe Convention.

As with the “CLOUD Act”, the EU Commission negotiates the Budapest Convention on behalf of all member states with the Council of Europe. A corresponding mandate is also to be decided by the Council of Interior Ministers on 7 June. By December 2019, a working group intends to submit a draft for the Additional Protocol. The German Government has also sent a member of staff from the Ministry of Justice to the Council of Europe.

EU Commission wants “disconnection clause”

It is still unclear how the E-Evidence Regulation is to be distinguished from the Budapest Convention. The authorities of the EU Member States could theoretically choose whether to issue an order via the Council of Europe or the European Union.

That is why the Commission wants the Budapest Convention to contain a “disconnection clause”. It would oblige EU Member States to always use the “E-Evidence” Regulation for “electronic evidence” in the case of intra-European investigations.

Image: Robert V. Ruggiero on Unsplash.